Hacker HD Moore, the creator of Metasploit and chief security officer at Rapid7, has found that videoconferencing equipment is often left wide open for hackers to creep in and peep around organizations.

As described in a report by the New York Times, Moore has demonstrated how he could remotely tour a dozen conference rooms around the globe via the nearly ubiquitous videoconferencing system.

The NYT article details his explorations, which included both rodent stalking and more worrisome, eagle-eyed peeping Tom abilities, thusly:

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

Moore has let himself into several top venture capital and law firms, pharmaceutical and oil companies, and courtrooms. He’s made it into the boardroom of Goldman Sachs, as well.

It’s unclear how the organisations feel about HD Moore’s intrusion into their offices.

Here’s what Rapid7 CEO Mike Tuchen told the NYT about what this easy trespassing means:

The entry bar has fallen to the floor. These are literally some of the world’s most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them.

The problem, they say, is that the videoconferencing systems – which rely on an internet protocol that’s like a fancy version of Skype – are being set up outside network firewalls, allowing them to receive calls without administrators having to deal with complex network configuration.

Other issues causing the security hole, as paraphrased from the NYT article:

New systems are often outfitted with a feature that automatically accepts inbound calls so users do not have to press an "accept" button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.

Some systems ship with a default setting of no security enabled. Of the Polycom videoconference systems that popped up in Mr. Moore's scan, none blocked control of the camera, asked for a password or muted sound.

To date, no company has reported being hacked via a videoconferencing system. But office hardware is far from immune.

One case the NYT points out was a security breach at the United States Chamber of Commerce in December 2011, when the Chamber discovered that its office printer and a thermostat had been communicating with a Chinese IP address. A subsequent investigation found that hackers had intercepted at least six weeks’ worth of email from Asia policy experts.

Around the same time, researchers at Columbia University revealed that remote hackers could install malicious firmware on some HP printers without the owners realizing that they were under attack.

These threats mostly remain in the realm of the hypothetical.

The worst known consequence of the Chamber hack occurred last March, when a printer went berserk and randomly started printing documents with Chinese characters. News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors.

But the theoretical consequences of printer hacking – that document images could be retrieved from printer RAM, that they could be intercepted from wireless printing, that a bad actor who detests trees will deplete your paper tray and waste your expensive ink to print spam – should be worrisome for companies or government bodies with serious concerns about espionage.

The same goes for videoconferencing. Moore has brought attention to a means for spies to infiltrate an organization to eavesdrop and have a look around without being detected.

Any organization vulnerable to espionage should be aware that its videoconferencing system could turn into a set of prying eyes and eavesdropping ears, and should do the network configuration work needed to lock the system down behind the firewall.
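The settings described above (a unit placed outside the firewall, auto-answer, no password, unrestricted camera control, a live microphone) can be checked against an inventory of an organization's own endpoints. The following is an added example, not code from the article or from Rapid7; the inventory field names, the internal address ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address ranges that sit behind the organisation's firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_ORDER = ["critical", "high", "medium", "low", "ok"]

# Constructed inventory; field names are hypothetical, not a vendor export format.
SAMPLE_INVENTORY = [
    {"name": "training-room", "ip": "10.20.4.15", "auto_answer": True,
     "password_set": True, "remote_camera_control": False, "mute_on_answer": True},
    {"name": "boardroom", "ip": "203.0.113.20", "auto_answer": True,
     "password_set": False, "remote_camera_control": True, "mute_on_answer": False},
    {"name": "legal-suite", "ip": "198.51.100.7", "auto_answer": False,
     "password_set": True, "remote_camera_control": False, "mute_on_answer": True},
]

def audit_endpoint(ep):
    """Return (severity, findings) for one endpoint record."""
    addr = ipaddress.ip_address(ep["ip"])
    exposed = not any(addr in net for net in INTERNAL_NETS)
    findings = []
    if exposed:
        findings.append("reachable from outside the firewall")
    if ep["auto_answer"]:
        findings.append("auto-answers inbound calls")
        if not ep["mute_on_answer"]:
            findings.append("microphone live on auto-answered calls")
    if ep["remote_camera_control"]:
        findings.append("caller can steer the camera")
    if not ep["password_set"]:
        findings.append("no password set")
    # Worst case in the article: an exposed unit that answers by itself.
    if exposed and ep["auto_answer"]:
        severity = "critical"
    elif exposed and not ep["password_set"]:
        severity = "high"
    elif exposed:
        severity = "medium"
    else:
        severity = "low" if findings else "ok"
    return severity, findings

def audit(inventory):
    """Audit every endpoint and return (name, severity, findings), worst first."""
    rows = [(ep["name"],) + audit_endpoint(ep) for ep in inventory]
    return sorted(rows, key=lambda row: SEVERITY_ORDER.index(row[1]))

if __name__ == "__main__":
    for name, severity, findings in audit(SAMPLE_INVENTORY):
        print(f"{severity:8} {name}: {'; '.join(findings) or 'no findings'}")
```

An endpoint on an internal address that still auto-answers is reported as low rather than clean, since it remains open to anyone already inside the network.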

About the author

Lisa has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. Alongside Naked Security Lisa has written for CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output.

"News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors". Brilliant…

I'm sure there are cleverer ways to intercept email (sniffing all traffic to any IP address is so simple), but yeah, a printer definitely could potentially be a door to the inside.

The fact that the hackers made their presence known with a bit of mischief could mean that they never found the key in and decided just to send a message.

I see a new opportunity in security expertise opening up! Printer hardening :)

Nice story.

Thx,
Marcel

Seriously. Anyone (meaning almost all Corporate Security Professionals) who has ever taken time to talk with the AV (audio-video-telephony) team has known most of this since at least 2004. Nice to see it in Metasploit though. This vector is so old news…

Our system lights up (with ringing sound), swings out the camera, turns on two 42″ screens and it takes 30-60 seconds before it picks up, so it would be like someone (really slow and noisy) coming into the room. Also the wireless MIC is off when it's in its charger.

The article's scenario was discussed when setting up the system but we found it very unlikely it would pose a problem and if it did, it would easily be discovered and fixed!

Good use for the thermostat hacking..social engineering…Could be possible to see when a specific room or building is being actively used. After monitoring the thermostat usage for a while, You could also easily pose as someone that works for the HVAC company. Call up the victim and play the role. Ask the right questions and make the right comments..talk about how the usage has been and that you believe there may be some problems. Make a change to the temp while on the phone and confirm the change with the victim. Now they see your access and you can work on trust. Then, maybe schedule an onsite visit to inspect the system. Wear the right clothes and relay the data discussed over the phone and you'll probably get into the building with no problem and the ability to venture around unsupervised. etc etc…

Or even better, gain access to the thermostat that controls the temp in a datacenter or server room.

So many things can be done with thermostat control…just need to be creative.

As for the printer hack….espionage is not the only concern…for printer/fax/scanner devices…anything you've ever printed, faxed, or scanned can possibly be retrieved…cc data, ss#'s from companies processing loans etc…Could probably even redirect a copy of all the printer's activities to an external source…or again, social engineering acting as printer repair etc..

Brilliant thermostat hacking scenarios! I'll admit, some of the theoretical hacks sound a bit too Hollywood, but seriously, what would InfoSec be without what one might call paranoia but what more positively could be called proactive imagination?

I just wanted to clarify that we did NOT access Goldman Sachs boardroom! During the course of the research we discovered that some apparently secure systems – such as that belonging to Goldman Sachs – were still vulnerable through so-called “trusted” 3rd party systems that were less secure. We did not take advantage of this to go into Goldman Sachs though.